Monday, 5 May 2014

Phishing Email

Spear-Phishing Email: Most Favored APT Attack Bait

Introduction

Advanced persistent threat (APT) campaigns make up a growing part of the current threat landscape. Some APT campaigns remain active even after drawing extensive media attention. A campaign's routines may vary over time, but its primary goal remains the same: to gain entry to a target organization's network and obtain confidential information.
Spear phishing continues to be a favored means for APT attackers to infiltrate target networks. In a typical spear-phishing attack, a specially crafted email is sent to specific individuals in a target organization. Clever and relevant social engineering convinces the recipients either to download a malicious file attachment or to click a link to a malware- or exploit-laden site, which starts the compromise.
While spear phishing may be a timeworn technique, it continues to be effective even in today's Web 2.0 landscape. In 2011, security firm RSA suffered a breach via a targeted attack; analysis revealed that the compromise began when a spear-phishing email was opened [1]. That same year, email service provider Epsilon also fell prey to a spear-phishing attack that cost the organization an estimated US$4 billion [2].
This research paper presents Trend Micro findings on APT-related spear phishing from February to September 2012. We analyzed APT-related spear-phishing emails collected throughout this period to understand and mitigate attacks. The information we gathered gave us specific details not only on spear phishing but also on targeted attacks in general. We found, for instance, that 91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.
 
What Is Spear Phishing?
Spear phishing may be defined as "highly targeted phishing aimed at specific individuals or groups within an organization." Coined as a direct analogue to spearfishing, spear phishing makes use of information about a target to make attacks more specific and "personal" to that target [3]. Spear-phishing emails, for instance, may address their targets by name, rank, or position instead of using the generic titles seen in broader phishing campaigns [4].
APT campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails. These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spear phishing significantly raises the chances that targets will read a message that allows attackers to compromise their networks. In many cases, spear-phishing emails use attachments made to look like legitimate documents, because sharing documents via email is common practice among large enterprises and government organizations, the usual targets of APT campaigns.
The Email
In a spear-phishing attack, a target recipient is lured either to download a seemingly harmless file attachment or to click a link to a malware- or exploit-laden site. The file, often a vulnerability exploit, installs malware on the compromised computer. The malware then contacts a malicious command-and-control (C&C) server to await instructions from a remote operator. At the same time, it usually drops a decoy document that opens when the malware or exploit runs, hiding the malicious activity from the user.

Figure 1: Infection chain that starts when a spear-phishing email is opened
The Attachment

Spear-phishing emails can have attachments of varying file types. We found that the file types most commonly used and shared in organizations (e.g., .XLS, .PDF, .DOC, .DOCX, and .HWP) accounted for 70% of the total number of spear-phishing email attachments during our monitoring.

Figure 2: Top spear-phishing email attachment file types

Executable (.EXE) files were not commonly used as spear-phishing email attachments, most likely because emails with .EXE attachments are usually detected and blocked by any security solution. For the same reason, .EXE files are usually compressed and archived before being sent: they arrived instead as .LZH, .RAR, and .ZIP files. In some cases, the compressed files were even password protected to further prevent their malicious content from being detected by security solutions, with the password given in the email body alongside the social engineering bait.

When attached executable files are extracted, they generally look suspicious. That is why malicious executable files often come disguised as documents with fake icons, employ the right-to-left override (RLO) technique, and use file names padded with many spaces to push the .EXE extension out of view [5].
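The file-name disguises the paper lists (RLO, space padding, double extensions, archives carrying executables) can be flagged at the mail gateway from the attachment name alone. The following Python is an added example, not code from the paper or from Trend Micro; the extension sets and the five-space padding threshold are assumptions chosen for illustration, and the sample names are constructed.

```python
import os
import re
from dataclasses import dataclass, field

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE character
# Assumed sets: executable extensions the tricks hide, archive types the paper names
# as carriers, and document extensions used as the "fake" half of a double extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
ARCHIVE_EXTS = {".zip", ".rar", ".lzh"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp"}


@dataclass
class AttachmentVerdict:
    actual_ext: str       # extension the OS really uses when the file is opened
    displayed_name: str   # what a bidi-rendering mail client shows the user
    flags: list = field(default_factory=list)


def displayed(name: str) -> str:
    """Approximate the rendered name: text after the first RLO mark is drawn reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def analyze_attachment_name(name: str) -> AttachmentVerdict:
    """Flag the disguises described in the paper. Name analysis only: no file is opened."""
    flags = []
    if RLO in name:
        flags.append("rlo_override")
    stripped = name.replace(RLO, "")
    actual_ext = os.path.splitext(stripped.rstrip())[1].lower()
    # Many spaces between a document-looking name and the real extension: "plan.doc      .exe"
    if re.search(r"\S\s{5,}\.\w+$", stripped):
        flags.append("whitespace_padding")
    parts = stripped.split(".")
    if len(parts) >= 3 and "." + parts[-2].strip().lower() in DOCUMENT_EXTS:
        flags.append("double_extension")
    if actual_ext in EXECUTABLE_EXTS:
        flags.append("executable")
    elif actual_ext in ARCHIVE_EXTS:
        flags.append("archive")  # may hold a (password-protected) executable; inspect contents
    return AttachmentVerdict(actual_ext, displayed(name), flags)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real campaign
    for n in ["agenda.docx", "report\u202efdp.exe", "Q3 budget.xls" + " " * 40 + ".exe", "photos.rar"]:
        v = analyze_attachment_name(n)
        print(repr(v.displayed_name), v.actual_ext, v.flags)
```

The RLO sample shows why the check matters: the user sees "reportexe.pdf" while the operating system runs a .exe.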

 
 
Figure 3: Ratio of targeted emails with attachments to those without attachments

People normally share files (e.g., reports, business documents, and resumes) in the corporate or government setting via email, possibly because downloading from the Internet in such a setting is frowned upon. That is why a higher number of spear-phishing emails with attachments is sent to targets in the corporate or government sector.
Targeted emails without attachments are more often sent to noncorporate or nongovernmental organization (NGO) targets like activist groups and international organizations, as their members typically reside in different countries. In such a case, a spear-phishing email that lures victims to click a link and download a file from a remote site may not appear suspicious.
 


Figure 4: Ratio of APT corporate/government sector targets to noncorporate/NGO targets

Activist groups often have social media pages apart from their own sites. These online pages usually contain points of contact along with member information to facilitate information exchange, to organize campaigns, or to recruit new members. In this case, the availability of such information may make them easier targets.